STIGQter STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.

DISA Rule

SV-217061r639663_rule

Vulnerability Number

V-217061

Group Title

SRG-NET-000362-RTR-000118

Rule Version

JUNI-RT-000550

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the router to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.

Configure a route filter to reject any prefix that is longer than /24.

[edit policy-options]
set policy-statement NO_LONG_PREFIXES from route-filter 0.0.0.0/0 prefix-length-range /25-/32 reject

Apply the policy statement to the BGP customer groups.

[edit protocols bgp group CUST1]
set import NO_LONG_PREFIXES
[edit protocols bgp group CUST2]
set import NO_LONG_PREFIXES

Check Contents

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if it is compliant with this requirement.

Verify that a policy statement has been configured to reject prefixes longer than /24 or the least significant prefixes issued to the customers as shown in the example below.

policy-options {



}
policy-statement NO_LONG_PREFIXES {
from {
route-filter 0.0.0.0/0 prefix-length-range /25-/32 reject;
}
}

Note: It may be necessary to configure separate policy statements depending on the address space issued to each customer.

Verify that there is an import statement referencing the policy statement to filter prefix length.

protocols {
bgp {



}
group CUST1 {
type external;
import [ FILTER_CUST1_ROUTES NO_LONG_PREFIXES ];
peer-as 55;
neighbor x.x.x.x;
neighbor x.x.x.x;
}
group CUST2 {
type external;
import [ FILTER_CUST1_ROUTES NO_LONG_PREFIXES ];
peer-as 44;
neighbor x.x.x.x;
neighbor x.x.x.x;
}

If the router is not configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer, this is a finding.

Vulnerability Number

V-217061

Documentable

False

Rule Version

JUNI-RT-000550

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if it is compliant with this requirement.

Verify that a policy statement has been configured to reject prefixes longer than /24 or the least significant prefixes issued to the customers as shown in the example below.

policy-options {



}
policy-statement NO_LONG_PREFIXES {
from {
route-filter 0.0.0.0/0 prefix-length-range /25-/32 reject;
}
}

Note: It may be necessary to configure separate policy statements depending on the address space issued to each customer.

Verify that there is an import statement referencing the policy statement to filter prefix length.

protocols {
bgp {



}
group CUST1 {
type external;
import [ FILTER_CUST1_ROUTES NO_LONG_PREFIXES ];
peer-as 55;
neighbor x.x.x.x;
neighbor x.x.x.x;
}
group CUST2 {
type external;
import [ FILTER_CUST1_ROUTES NO_LONG_PREFIXES ];
peer-as 44;
neighbor x.x.x.x;
neighbor x.x.x.x;
}

If the router is not configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer, this is a finding.

Check Content Reference

M

Target Key

4032

Comments